Atomic Edge Security

Changelog

2.5.0

  • NEW: Vulnerability scanner now works without an API key — free scans limited to 3 per day per IP
  • NEW: Rate limit exceeded warning displayed in dashboard when daily scan limit is reached
  • CHANGE: Vulnerability scanner availability no longer gated on API connection status

2.4.8

  • NEW: Added Blocked IPs tab to Adaptive Defense with IP Address, Threat Score, WAF Hits, Type, Blocked, Expires columns and actions (Extend, Make Permanent, Unblock)
  • FIX: Adaptive Defense block actions now route through dashboard Blocked IPs (application-layer) instead of Access Control IP blacklist (edge config)
  • NEW: Manual block form on Blocked IPs tab with configurable duration (1h, 6h, 24h, 7d, 30d, permanent)
  • NEW: Extend block (+1 day) and Make Permanent actions for timed blocks
  • CHANGE: WAF Logs “Block IP” button renamed to “Blacklist IP” to clarify it adds to edge-level IP blacklist
  • NEW: Added extend_block() and make_permanent() API methods and AJAX handlers with dev mode support

2.4.7

  • FIX: Confidence now displayed as percentage (e.g. “90%”) instead of raw decimal (“0.90%”) in Adaptive Defense threat detection details
  • FIX: Dev mode simulation data now uses 0.0-1.0 decimal values for confidence to match real API format

2.4.6

  • FIX: Adaptive Defense dev mode now provides simulated data for all 8 AJAX endpoints (overview, actor profiles, threat detections, detection detail, block/unblock IP, dismiss detection, delete actor)
  • FIX: Fixed duplicate detail rows appending on repeated “View Details” clicks in Threat Detections tab by replacing invalid <div>-wrapped template with HTML5 element
  • FIX: Added JS field name fallback chains for API response compatibility across versions
  • NEW: Added 36 new tests for Adaptive Defense dev mode simulation and AJAX interception

2.4.5

  • NEW: Added internationalization (i18n) support with load_plugin_textdomain() and .pot translation template
  • Plugin is now translatable via WordPress.org GlotPress (translate.wordpress.org)
  • Supports English (Canada) and all other WordPress locales

2.4.4

  • FIX: Fixed fatal error “Class AtomicEdge_Cron not found” on plugin activation by ensuring Cron class is loaded before use in activation hook

2.4.3

  • FIX: Corrected push.exclude to properly exclude top-level assets folder while preserving admin/assets
  • FIX: Removed nested trunk folder from 2.0.0 tag in WordPress.org SVN
  • FIX: Removed .dccache from SVN trunk
  • FIX: Cleaned up malware signature patterns from test files to prevent false positives

2.4.2

  • FIX: Removed hardcoded malware signatures from test files to prevent false positives from external security scanners
  • Tests now use API-provided patterns via mocked API instead of inline signature strings

2.4.1

  • FIX: Removed assets folder from plugin trunk/tags in WordPress.org SVN (assets should only exist in svn/assets for directory page)
  • FIX: Cleaned up all existing SVN tags that incorrectly contained assets folder

2.4.0

  • COMPLIANCE: Added External Services section to readme documenting API usage, data transmission, and links to Terms of Service and Privacy Policy
  • COMPLIANCE: Text domain updated from ‘atomicedge’ to ‘atomic-edge-security’ to match WordPress.org plugin slug
  • COMPLIANCE: All register_setting() calls now include sanitize_callback for proper input sanitization
  • COMPLIANCE: Excluded WordPress.org directory assets from plugin zip file (assets/ folder now only syncs to SVN assets directory)

2.3.0

  • NEW: Malware scanner signatures now fetched from public API (no API key required)
  • This allows users to scan their site before registering with Atomic Edge
  • FIX: API key migration for users who had raw keys stored (automatic re-encryption on load)
  • IMPROVED: Test coverage for scanner with mocked API signatures

2.2.2

  • FIX: Malware scanner signatures moved to remote API to prevent hosting providers from flagging the plugin as malware
  • Signatures are now fetched from the Atomic Edge API and cached locally for 24 hours
  • This resolves false positives from security scanners detecting plaintext malware patterns in the plugin source code

2.2.1

  • FIX: Minification was running even when disabled (setting value ‘off’ is not empty)
  • FIX: Clear minification cache button now returns proper response structure
  • FIX: Test CDN button now uses correct dynamic path for any installation
  • NEW: Weekly scheduled cleanup for minification cache (removes files older than 7 days)
  • IMPROVED: Added 5 new tests for minification and cache cleanup

2.2.0

  • NEW: Adaptive Defense – AI-powered threat detection and automatic IP blocking
  • View real-time threat status and blocked IPs from the WordPress admin
  • Actor profiles with behavioral analysis metrics
  • Threat detection log with AI confidence scores
  • Requires Atomic Edge Pro or Enterprise plan
  • IMPROVED: API contract validation for better error messages

2.1.0

  • MAJOR PERFORMANCE: Malware scanner now 100x faster through batch database operations
  • NEW: Quick rejection pre-filter skips 93%+ of files before expensive regex matching
  • NEW: Combined regex patterns per category reduce PCRE overhead
  • NEW: Batch queue claiming (100 items per query vs 1) dramatically reduces DB load
  • NEW: Batch completion marking (single UPDATE for batch vs per-file)
  • NEW: Debug test button (WP_DEBUG only) for measuring scanner performance
  • IMPROVED: Time budget increased to 45s max for capable servers
  • IMPROVED: Native file_get_contents() for reads (WP-compliant, reduces overhead)

2.0.0

  • MAJOR: CDN architecture overhaul – simplified URL management for better reliability
  • REMOVED: User-configurable CDN URLs (prevented URL corruption bugs from form serialization)
  • NEW: Developer constant support – define ATOMICEDGE_CDN_DEV_URL in wp-config.php for local testing
  • IMPROVED: CDN enable logic simplified – now only checks local switch + CDN URL availability
  • REMOVED: Dashboard status gating – CDN works with local settings only (no API calls required)
  • FIXED: Consistent UI design pattern across all admin pages (logo, wrapper classes, headings)
  • FIXED: 2FA settings page now matches design pattern of other plugin pages

1.9.9

  • IMPROVED: Malware scanner now adapts to server performance (faster on capable servers)
  • Scanner time budget auto-detects based on max_execution_time setting
  • Adaptive polling reduces overhead on slow/shared hosting
  • On servers with 30s timeout: ~15s per step; with 300s+: ~20s per step

1.9.8

  • FIX: 2FA buttons (enable/disable) now work – JS was checking for wrong element ID after anchor fix

1.9.7

  • FIX: 2FA encryption now works with sodium_compat polyfill (servers without native libsodium extension)
  • sodium_memzero() calls now only execute when native libsodium is available

1.9.6

  • FIX: 2FA setup link from admin notice now correctly scrolls to the 2FA section on profile page
  • Fixed anchor ID mismatch (was #atomicedge-2fa, now #atomicedge-2fa-section)
  • Added smooth scroll animation when navigating via hash link

1.9.5

  • IMPROVED: Added comprehensive debug logging for 2FA enrollment when WP_DEBUG is enabled
  • Debug logs show exact failure point in enrollment flow for easier troubleshooting
  • Logs cover: crypto availability checks, encryption steps, user meta operations

1.9.4

  • FIX: Removed problematic sodium_memzero() call on plaintext that could cause encryption failures
  • IMPROVED: Encryption errors now show the exact underlying error message for easier diagnosis

1.9.3

  • IMPROVED: 2FA enrollment now shows specific error messages (encryption unavailable, encryption failed, database issues)
  • Better diagnostics for troubleshooting 2FA setup failures

1.9.2

  • FIX: 2FA enrollment now works on servers with persistent object caching (Redis, Memcached)
  • Added cache bypass for enrollment state verification
  • Added debug logging for 2FA enrollment failures

1.9.1

  • SECURITY: Fixed potential XSS vulnerability in JavaScript error message display (admin.js)
  • Security audit: Verified proper escaping for all external data (WAF logs, analytics, 2FA audit logs)

1.9.0

  • NEW: 2FA Audit Log – Security audit trail for all 2FA-related events
  • Event logging: enrollment, disable, login success/failure, backup code usage, rate limiting
  • Filterable log viewer with pagination (by user, event type, date)
  • 30-day statistics dashboard with success/failure metrics
  • Security events section highlighting failed logins and suspicious activity
  • CSV export functionality for compliance and reporting
  • 90-day log retention with automatic cleanup
  • NEW: 2FA User Management – Admin interface for managing user 2FA status
  • View all users with 2FA status (enabled/disabled)
  • Search and filter users by 2FA status
  • Admin reset capability for locked-out users
  • Shows backup code counts and policy compliance status
  • Confirmation dialog for reset actions with admin audit logging

1.8.0

  • NEW: 2FA Enforcement Policy – Require two-factor authentication for specific user roles
  • Role-based 2FA enforcement (Administrator, Editor, etc.)
  • Configurable grace period before enforcement (1-90 days)
  • Grace period bypass option – allow login during grace period with reminders
  • Admin dashboard showing compliance status and non-compliant users
  • Admin notice reminders for users who need to set up 2FA
  • Dismissible reminders (24-hour reset) for less intrusive notifications
  • Policy settings page with intuitive UI under Atomic Edge menu

1.7.0

  • NEW: Two-Factor Authentication (2FA) for WordPress login protection
  • TOTP authenticator app support (Google Authenticator, Authy, etc.)
  • Backup recovery codes with secure generation and one-time use
  • Encrypted secret storage using libsodium
  • Rate limiting on failed 2FA attempts with progressive lockout
  • 2FA settings integrated into User Profile page
  • Client-side QR code generation for authenticator app setup

1.6.0

  • Admin notice when retired Shift8 CDN plugin is active

1.5.0

  • Malware Scanner: Cancel/Reset buttons now match Vulnerability Scanner sizing and spacing

1.4.0

  • Malware Scanner: Cancel/Reset buttons now match Vulnerability Scanner styling
  • Malware Scanner: Suspicious Files table formatting fixed
  • Malware Scanner: Quick scan now skips excluded paths earlier (e.g., .git), reducing noise and improving speed
  • Malware Scanner: Progress now uses stable totals and ETA
  • Scanner: Core checksum verification now uses WordPress core verifier

1.3.7

  • Fixed CDN settings sync: Brotli and image optimization now properly sync between plugin and AtomicEdge dashboard
  • JS/CSS minification settings are now plugin-local only (they don’t require edge-side configuration)
  • CDN “Refresh Status” now pulls latest edge-side optimization settings from API

1.3.0

  • Text domain updated to match WordPress.org plugin slug

1.3.3

  • WordPress.org Plugin Review Team compliance: refactored path handling to use WordPress API functions instead of internal constants (ABSPATH, WP_PLUGIN_DIR, WP_CONTENT_DIR, WPMU_PLUGIN_DIR)
  • WordPress.org Plugin Review Team compliance: AJAX handlers now sanitize all inputs at point of retrieval
  • WordPress.org Plugin Review Team compliance: improved file inclusion guards for test compatibility
  • Added recursive array sanitization support for complex AJAX request data

1.2.0

  • Malware scanner: resumable scanning with DB-backed queue, improved progress reporting, and live activity log
  • Malware scanner: quick (PHP-only) vs thorough (all files) scan modes (quick is default)
  • Malware scanner: added Cancel Scan and Reset Scan controls (reset clears both state and saved results)
  • Malware scanner: added optional AtomicEdge plugin integrity verification via shipped SHA-256 manifest
  • Scanner diagnostics: clearer warnings for unreadable/partial scans and improved false-positive tuning

1.0.6

  • Updated malware scanner results to show full file paths
  • Improved vulnerability scanner UX (scan summary jump links and consistent “More Info” links)
  • Simplified Settings page to focus on connection and core configuration

1.0.0

  • Initial release
  • WAF integration
  • Analytics dashboard
  • IP whitelist/blacklist management
  • Geographic access control
  • Malware scanner

Author: shift8
Version: 2.5.0
Last Updated: March 6, 2026
Requires: WordPress 5.8
Tested Up To: WordPress 6.9.1
Requires PHP: 7.4
